Tech-support emails accessed by HuffPost India prove that the biometric identity of an Aadhaar operator were stolen and misused to access the UIDAI software at various locations in India.

JIND, Haryana — If you go by the Unique Identification Authority of India (UIDAI)’s record of each time Vikram Sheokhand pressed his thumb down on a biometric reader for an Aadhaar-enabled transaction, on November 12 2018 he was at a Ratnakar Bank branch, a Yes Bank branch, a State Bank of India branch in Haryana where he lives, and also at the Madhya Pradesh State Electronics Development Corporation, headquartered in Arera Hills in Bhopal — each transaction separated by a few hours.

Yet on that day Sheokhand insists, and eyewitnesses concur, he spent the day at Uchana village, in Jind district, where he worked seven hour shifts as an Aadhaar enrollment operator at the local State Bank of India office.

But if Sheokhand was in Uchana, how were his fingerprints used in Aadhaar transactions in places separated by hundreds of kilometres?

“I am not a ghost who can travel from Jind to Madhya Pradesh in less than a second and simultaneously work in SBI’s branch in Uchana,” Sheokhand told HuffPost India in an interview last week.

Tech-support emails accessed by HuffPost India showthe UIDAI has confirmed that Sheokhand’s credentials were used in multiple places in a single day, on at least one other day, November 8 2018. For this reason, on Nov 13 2018, the UIDAI barred Sheokhand from working as an enrolment operator for five years. Yet strangers continue to try to use his digital fingerprints in different banks across the country.

By blacklisting Sheokhand, the UIDAI admitted that it is possible to impersonate someone, and steal their Aadhaar-based identity, by stealing their fingerprints.

The UIDAI is yet to provide an explanation for how such a breach is possible — given that one unique, irreplaceable, verifiable, digital identity, based on each of our unique fingerprints and irises, forms the cornerstone for most of Aadhaar’s overstated claims.

“I cannot provide you with any information, any justification, or rebuttal on the issue,” Mohit Kumar, FIA’s Technical In-charge for Aadhaar said. “All I can tell you is that we have submitted details pertaining to Vikram’s case to SBI and to UIDAI, who are investigating the case.”

The case was first reported in the Times of India. Now, HuffPost India hasaccessed previously undisclosed documents, including Sheokhand’s Aadhaar authentication logs obtained from the UIDAI, his correspondence with the UIDAI, and first information reports obtained from the Haryana police, to establish that:

The sanctity of Aadhaar biometric authentication is broken as impersonators can easily bypass the system using someone else’s biometrics.

The Aadhaar system is unable to distinguish between a “live” fingerprint captured by a person pressing their thumb to a reader, and a digital copy of the fingerprint stored on a computer. This is despite the UIDAI rolling out security updates in 2017 to plug precisely this vulnerability.

The integrity of the information stored in the UIDAI’s Central Identities Repository (CIDR) has been compromised, as cyber-criminals with the biometric credentials of an enrolment operator like Sheokhand can enrol people into the system without furnishing proper proof.

The theft of a citizen’s biometrics is permanent and irretrievable — rendering them permanently vulnerable to cyber-theft and potentially unemployed.

The UIDAI has provided Sheokhand with no answers beyond advising him to “lock” his biometrics, a feature that temporarily disables biometric aadhaar authentication. This defies the principal justification for gathering the biometrics of over 1 billion Indians in the first place. Users can “unlock” their biometrics at will, but the process often takes several minutes.

Yet, in a cruel twist of fate, Sheokhand’s life and livelihood depend on him using his biometrics several times a day. Sheokhand lost his job as an Aadhaar enrolment operator soon after he was blacklisted by the UIDAI. He now works as a computer operator in a rural citizen service centre to help citizens access schemes like old-age pensions, healthcare and school scholarships — for which he needs his biometrics to be authenticated, in order to access specific government portals.

“I feel imprisoned for life as I cannot do any other job except where I have to lock and unlock my biometrics every time I have to offer services to citizens,” said Sheokhand, who never went to college and so has limited skills.

Even so, Sheokhand said he frequently receives automated email alerts — like many of us receive each time we use a debit card — informing him that someone has been trying to log into the Aadhaar system using his fingerprints; suggesting that digital copies of his fingerprints are still at large.

“What if someone misuses my biometrics and frames me in some major financial fraud, or to plans some major terror activity?” Sheokhand said. “I am terrified everytime I unlock my biometrics on the UIDAI server.”

A UIDAI email to Vikram Sheokhand informing him that someone has tried to use his fingerprint at a Yes Bank branch. Sheokhand told HuffPost India he had never visited such a branch.

Broken Enrolment

At its heart, the veracity of the information stored in India’s Aadhaar system comes down to the integrity of the enrolment software, called the Enrolment Client Multi-Platform or (ECMP).

A UIDAI document, titled Installation and Configuration of Aadhaar Enrolment Client, explains that an operator must first register with the UIDAI and then download their biometrics onto a certified enrolment computer. The operator’s biometrics and their unique operator identity number are then locally stored on the computer as a “credential file”.

The operator is then authorised to use that specific computer to enrol new users to Aadhaar. Each time an operator enrols a new user, they must “sign off” by pressing their finger onto a biometric reader. The ECMP then matches the operator’s fingerprint with a digital version of their fingerprint stored in their credential file.

If the two prints match, the ECMP accepts the enrolment, which is then sent on to the UIDAI servers for verification.

A UIDAI document explaining the on-boarding process for enrolment operators like Vikram Sheokhand.

In Sheokhand’s case, it appears that his credential file has been stolen and has been used to enrol people to Aadhaar without his knowledge.

The malicious software, HuffPost India had reported at the time, was freely available for as little as Rs 2,500.

“This is a straightforward, business-like, and utilitarian hack,” Gustaf Björksten, Chief Technologist at Access Now, a global technology policy and advocacy group, told HuffPost India at the time. “Having examined the entirety of the code, it is my opinion that the patch is the work of more than one coder.”

The UIDAI had refuted HuffPost India’s findings in a series of poorly phrased, and completely unsubstantiated, tweets..

Now Sheokhand’s case, UIDAI error reports and email correspondence, indicate that Sheokhand’s stolen credentials were probably plugged into this malicious software and then used to fraudulently enrol new users to the Aadhaar database.

Sheokhand first learnt that his biometrics had been stolen on November 14 2018, a day after the UIDAI revoked his access to the Aadhaar enrolment system for logging in from multiple locations on November 12 2018. Curiously, in a subsequent email, UIDAI said he was barred because his ID was used in multiple occasions on Nov 8 2018.

When HuffPost India analysed Sheokhand’s logs, we found more instances of his ID being used from multiple occasions — indicating his credentials were misused for a while before the UIDAI caught on, and the Aadhaar fraud monitoring system not as robust as the UIDAI claims.

A month later, on 28 December 2018, the authority fined Sheokhand over Rs 33 lakh, for uploading fraudulent documents on 333 different occasions — each carrying a penalty of Rs 10,000. The UIDAI also claimed to have found another 304 cases, carrying a penalty of Rs 25 each, in which the scans of documents uploaded were found to be of poor quality, and an additional 9 miscellaneous errors — also carrying a penalty of Rs 25 each.

In a December 29 2018 email to UIDAI, O S Rana, an executive with FIA Technology Systems, Sheokhand’s former employer, noted that only 1 error of these 646 errors could be directly traced back to Sheokhand.

As for the rest, Rana wrote, “his ID has been misused by some fraudster on other stations, and he has already put complaint to UIDAI and police against this issue.”

“Only one error belongs to our station ID, which was allotted by you,” Rana concluded. HuffPost India has a copy of the email.

In his email to UIDAI, a FIA representative notes that only one of the violations attributed to Vikram Sheokhand correspond to the actual enrolment station where he worked. The rest have clearly been done by fraudsters. HuffPost India has redacted personal identifiers from this email.

A station ID is a unique code that corresponds to a particular place — say a bank branch. This ‘station ID’ is important because it makes it easy to verify if a particular Aadhaar enrolment number was generated from the SBI branch were Sheokhand worked.

Every Aadhaar enrolment number has the following format: the first four digits correspond to the “registrar” or principle organisation where the enrolment has occurred — in this case, the State Bank of India. The next five digits correspond to the specific station — in this case, the Uchana branch where Sheokhand worked — where the enrolment took place.

The remaining digits correspond to the sequence number from a particular enrolment centre, and the date and time when the enrolment occured. Each enrolment id is also tagged with the unique ID of the enrolment operator.

Of the 646 incorrect enrolments flagged by the UIDAI, only one incorrect enrolment number contained Sheokhand’s station id, according to UIDAI documents seen by HuffPost India. The remaining 645 enrolments have occurred in other enrolment stations, but are tagged with Sheokhand’s operator ID — conclusively proving that Sheokhand’s credentials had been stolen.

“My biometrics were authenticated successfully at even places about which I never heard before,” said Sheokhand. “Somedays, my biometrics were authenticated over 47 times on a single day without my knowledge. This is scary.”

The UIDAI is yet to confirm if they have dropped the Rs 33 lakh fine imposed on Sheokhand.

HuffPost India emailed the UIDAI a detailed list of questions, including if the actual perpetrators had been found. This copy will be updated if the UIDAI responds.

Is Aadhaar Safe?

In short, No.

The UIDAI routinely deflects allegations of data-theft by claiming that its own date repositories, like the CIDR, have not been breached. Yet, the Aadhaar eco-system is so porous that all the information collected by the authority routinely leaks out into the public domain.

Earlier this week, French security expert Robert Baptiste, who goes by the name Elliot Anderson, detailed an exploit that exposed the Aadhaar numbers and personal details of over 6 million Indians.

Gulshan Rai, Chief Information Security Office at the Prime Minister’s Office, conceded as much in a brief interview with HuffPost India.

“Nothing can be 100%. There is always some vulnerability,” Rai said, pointing at a reporter’s sleevless sweater to better illustrate his point. “Your arms are vulnerable, your sweater is the CIDR — that is more secure.”

Yet as evidence of repeated breaches and fraud mount, the UIDAI’s claims on the security of the Aadhaar system appear increasingly threadbare.